CVEs from 2026
Total
14,770
critical
critical 1,334
high
high 4,998
medium
medium 4,817
low
low 502
% Critical
9.0%
% with KEV
0.4%
% with exploit
0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-48027 | critical | 9.8 | 10.0 | 10d ago | Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest… | |||
| CVE-2026-45247 | critical | 9.8 | 10.0 | 11d ago | Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying … | |||
| CVE-2026-48172 | critical | 9.8 | 10.0 | 16d ago | LiteSpeed cPanel Plugin contains privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with ro… | |||
| CVE-2026-9082 | critical | 9.8 | 10.0 | 17d ago | Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. | |||
| CVE-2026-8398 | critical | 9.8 | 10.0 | 22d ago | Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability. | |||
| CVE-2026-20182 | critical | 10.0 | 10.0 | 23d ago | Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges… | |||
| CVE-2026-0257 | critical | 9.1 | 10.0 | 24d ago | Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection. | |||
| CVE-2026-45321 | critical | 9.6 | 10.0 | 25d ago | TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity. | |||
| CVE-2026-42208 | critical | 9.8 | 10.0 | 29d ago | BerriAI LiteLLM contains a SQL injection vulnerability that allows an attacker to read data from the proxy's database and potentially modify it, leading to unauthorized access to the proxy and the cr… | |||
| CVE-2026-0300 | critical | 9.8 | 10.0 | 1mo ago | Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitra… | |||
| CVE-2026-31431 | high | 7.8 | 10.0 | 1mo ago | Important: kernel security update | |||
| CVE-2026-41940 | critical | 9.8 | 10.0 | 1mo ago | WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized a… | |||
| CVE-2026-33017 | critical | 9.8 | 10.0 | 3mo ago | Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication. | |||
| CVE-2026-24858 | critical | 9.8 | 10.0 | 4mo ago | Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a register… | |||
| CVE-2026-42897 | high | 8.1 | 9.6 | 23d ago | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | |||
| CVE-2026-41091 | high | 7.8 | 9.3 | 17d ago | Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally. | |||
| CVE-2026-33825 | high | 7.8 | 9.3 | 2mo ago | Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally. | |||
| CVE-2026-28318 | high | 7.5 | 9.0 | 2d ago | SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure custo… | |||
| CVE-2026-6973 | high | 7.2 | 8.7 | 1mo ago | Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution. |